.\" @(#) $Header: /tcpdump/master/libpcap/Attic/pcap-linktype.4,v 1.1 2008-04-05 20:19:41 guy Exp $
.\"
.\" Copyright (c) 1987, 1988, 1989, 1990, 1991, 1992, 1994, 1995, 1996, 1997
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that: (1) source code distributions
.\" retain the above copyright notice and this paragraph in its entirety, (2)
.\" distributions including binary code include the above copyright notice and
.\" this paragraph in its entirety in the documentation or other materials
.\" provided with the distribution, and (3) all advertising materials mentioning
.\" features or use of this software display the following acknowledgement:
.\" ``This product includes software developed by the University of California,
.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
.\" the University nor the names of its contributors may be used to endorse
.\" or promote products derived from this software without specific prior
.\" written permission.
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
.\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
.\"
.TH PCAP-LINKTYPE 4 "4 April 2008"
.SH NAME
pcap-linktype \- link-layer header types supported by libpcap
.SH DESCRIPTION
Libpcap supplies, for a live capture or ``savefile'', a value that indicates
the type of link-layer header at the beginning of the packets it
provides. This is not necessarily the type of link-layer header that
the packets being captured have on the network from which they're being
captured; for example, packets from an IEEE 802.11 network might be
provided by libpcap with Ethernet headers that the network adapter or
the network adapter driver generates from the 802.11 headers.
.PP
The link-layer header types supported by libpcap are:
.RS 5
.TP 5
.B DLT_NULL
BSD loopback encapsulation; the link layer header is a 4-byte field, in
.I host
byte order, containing a PF_ value from
.B socket.h
for the network-layer protocol of the packet.
.IP
Note that ``host byte order'' is the byte order of the machine on which
the packets are captured, and the PF_ values are for the OS of the
machine on which the packets are captured; if a live capture is being
done, ``host byte order'' is the byte order of the machine capturing the
packets, and the PF_ values are those of the OS of the machine capturing
the packets, but if a ``savefile'' is being read, the byte order and PF_
values are
.I not
necessarily those of the machine reading the capture file.
.TP 5
.B DLT_EN10MB
Ethernet (10Mb, 100Mb, 1000Mb, and up)
.TP 5
.B DLT_IEEE802
IEEE 802.5 Token Ring
.TP 5
.B DLT_ARCNET
ARCNET
.TP 5
.B DLT_SLIP
SLIP; the link layer header contains, in order:
.RS 10
.LP
a 1-byte flag, which is 0 for packets received by the machine and 1 for
packets sent by the machine;
.LP
a 1-byte field, the upper 4 bits of which indicate the type of packet,
as per RFC 1144:
.RS 5
.TP 5
0x40
an unmodified IP datagram (TYPE_IP);
.TP 5
0x70
an uncompressed-TCP IP datagram (UNCOMPRESSED_TCP), with that byte being
the first byte of the raw IP header on the wire, containing the
connection number in the protocol field;
.TP 5
0x80
a compressed-TCP IP datagram (COMPRESSED_TCP), with that byte being the
first byte of the compressed TCP/IP datagram header;
.RE
.LP
for UNCOMPRESSED_TCP, the rest of the modified IP header, and for
COMPRESSED_TCP, the compressed TCP/IP datagram header;
.RE
.RS 5
.LP
for a total of 16 bytes; the uncompressed IP datagram follows the header.
.RE
.TP 5
.B DLT_PPP
PPP; if the first 2 bytes are 0xff and 0x03, it's PPP in HDLC-like
framing, with the PPP header following those two bytes, otherwise it's
PPP without framing, and the packet begins with the PPP header.
.TP 5
.B DLT_FDDI
FDDI
.TP 5
.B DLT_ATM_RFC1483
RFC 1483 LLC/SNAP-encapsulated ATM; the packet begins with an IEEE 802.2
LLC header.
.TP 5
.B DLT_RAW
raw IP; the packet begins with an IP header.
.TP 5
.B DLT_PPP_SERIAL
PPP in HDLC-like framing, as per RFC 1662, or Cisco PPP with HDLC
framing, as per section 4.3.1 of RFC 1547; the first byte will be 0xFF
for PPP in HDLC-like framing, and will be 0x0F or 0x8F for Cisco PPP
with HDLC framing.
.TP 5
.B DLT_PPP_ETHER
PPPoE; the packet begins with a PPPoE header, as per RFC 2516.
.TP 5
.B DLT_C_HDLC
Cisco PPP with HDLC framing, as per section 4.3.1 of RFC 1547.
.TP 5
.B DLT_IEEE802_11
IEEE 802.11 wireless LAN
.TP 5
.B DLT_FRELAY
Frame Relay
.TP 5
.B DLT_LOOP
OpenBSD loopback encapsulation; the link layer header is a 4-byte field, in
.I network
byte order, containing a PF_ value from OpenBSD's
.B socket.h
for the network-layer protocol of the packet.
.IP
Note that, if a ``savefile'' is being read, those PF_ values are
.I not
necessarily those of the machine reading the capture file.
.TP 5
.B DLT_LINUX_SLL
Linux "cooked" capture encapsulation; the link layer header contains, in
order:
.RS 10
.LP
a 2-byte "packet type", in network byte order, which is one of:
.RS 5
.TP 5
0
packet was sent to us by somebody else
.TP 5
1
packet was broadcast by somebody else
.TP 5
2
packet was multicast, but not broadcast, by somebody else
.TP 5
3
packet was sent by somebody else to somebody else
.TP 5
4
packet was sent by us
.RE
.LP
a 2-byte field, in network byte order, containing a Linux ARPHRD_ value
for the link layer device type;
.LP
a 2-byte field, in network byte order, containing the length of the
link layer address of the sender of the packet (which could be 0);
.LP
an 8-byte field containing that number of bytes of the link layer address
(if there are more than 8 bytes, only the first 8 are present);
.LP
a 2-byte field containing an Ethernet protocol type, in network byte
order, or containing 1 for Novell 802.3 frames without an 802.2 LLC
header or 4 for frames beginning with an 802.2 LLC header.
.RE
.TP 5
.B DLT_LTALK
Apple LocalTalk; the packet begins with an AppleTalk LLAP header.
.TP 5
.B DLT_PFLOG
OpenBSD pflog; the link layer header contains, in order:
.RS 10
.LP
a 1-byte header length, in host byte order;
.LP
a 4-byte PF_ value, in host byte order;
.LP
a 2-byte action code, in network byte order, which is one of:
.RS 5
.TP 5
0
passed
.TP 5
1
dropped
.TP 5
2
scrubbed
.RE
.LP
a 2-byte reason code, in network byte order, which is one of:
.RS 5
.TP 5
0
match
.TP 5
1
bad offset
.TP 5
2
fragment
.TP 5
3
short
.TP 5
4
normalize
.TP 5
5
memory
.RE
.LP
a 16-character interface name;
.LP
a 16-character ruleset name (only meaningful if subrule is set);
.LP
a 4-byte rule number, in network byte order;
.LP
a 4-byte subrule number, in network byte order;
.LP
a 1-byte direction, in network byte order, which is one of:
.RS 5
.TP 5
0
incoming or outgoing
.TP 5
1
incoming
.TP 5
2
outgoing
.RE
.RE
.TP 5
.B DLT_PRISM_HEADER
Prism monitor mode information followed by an 802.11 header.
.TP 5
.B DLT_IP_OVER_FC
RFC 2625 IP-over-Fibre Channel, with the link-layer header being the
Network_Header as described in that RFC.
.TP 5
.B DLT_SUNATM
SunATM devices; the link layer header contains, in order:
.RS 10
.LP
a 1-byte flag field, containing a direction flag in the uppermost bit,
which is set for packets transmitted by the machine and clear for
packets received by the machine, and a 4-bit traffic type in the
low-order 4 bits, which is one of:
.RS 5
.TP 5
0
raw traffic
.TP 5
1
LANE traffic
.TP 5
2
LLC-encapsulated traffic
.TP 5
3
MARS traffic
.TP 5
4
IFMP traffic
.TP 5
5
ILMI traffic
.TP 5
6
Q.2931 traffic
.RE
.LP
a 1-byte VPI value;
.LP
a 2-byte VCI field, in network byte order.
.RE
.TP 5
.B DLT_IEEE802_11_RADIO
link-layer information followed by an 802.11 header - see
http://www.shaftnet.org/~pizza/software/capturefrm.txt for a description
of the link-layer information.
.TP 5
.B DLT_ARCNET_LINUX
ARCNET, with no exception frames, reassembled packets rather than raw
frames, and an extra 16-bit offset field between the destination host
and type bytes.
.TP 5
.B DLT_LINUX_IRDA
Linux-IrDA packets, with a
.B DLT_LINUX_SLL
header followed by the IrLAP header.
.TP 5
.B DLT_LINUX_LAPD
LAPD (Q.921) frames, with a
.B DLT_LINUX_SLL
header captured via vISDN.
.RE
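.PP
The DLT_LINUX_SLL field list above, read out of a capture buffer in C with the length checks a savefile parser needs. This is an added example, not code from libpcap: struct sll_info, parse_sll, be16 and the sample packet are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLL_HDR_LEN  16  /* 2 + 2 + 2 + 8 + 2 bytes, per the field list */
#define SLL_ADDR_MAX 8   /* size of the fixed address field */

struct sll_info {        /* hypothetical struct, not libpcap's own */
    uint16_t pkttype;    /* 0..4, see the packet type list */
    uint16_t hatype;     /* Linux ARPHRD_ value */
    uint16_t addr_len;   /* valid bytes in addr[], clamped to 8 */
    uint8_t  addr[SLL_ADDR_MAX];
    uint16_t protocol;   /* Ethernet type, or 1 or 4 as described */
};

/* Constructed sample: sent by us (4), ARPHRD value 1, 6-byte address
 * padded to 8, protocol 0x0800, then 2 payload bytes. */
const uint8_t sample_sll[] = {
    0x00, 0x04, 0x00, 0x01, 0x00, 0x06,
    0x02, 0x00, 0x5e, 0x10, 0x20, 0x30, 0x00, 0x00,
    0x08, 0x00, 0x45, 0x00
};

/* Network byte order read, independent of host endianness/alignment. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the payload start, or NULL if fewer than 16 bytes were captured. */
const uint8_t *parse_sll(const uint8_t *pkt, size_t caplen,
                         struct sll_info *out, size_t *payload_len)
{
    if (pkt == NULL || out == NULL || caplen < SLL_HDR_LEN)
        return NULL;
    out->pkttype = be16(pkt);
    out->hatype = be16(pkt + 2);
    uint16_t claimed = be16(pkt + 4);
    /* The field holds at most 8 bytes whatever length is claimed;
     * trusting `claimed` would read past the address field. */
    out->addr_len = claimed > SLL_ADDR_MAX ? SLL_ADDR_MAX : claimed;
    memset(out->addr, 0, sizeof out->addr);
    memcpy(out->addr, pkt + 6, out->addr_len);
    out->protocol = be16(pkt + 14);
    if (payload_len != NULL)
        *payload_len = caplen - SLL_HDR_LEN;
    return pkt + SLL_HDR_LEN;
}
```

Pass the captured length, not the on-wire length, as caplen, since a truncated capture can be shorter than the 16-byte header.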